Published daily by the Lowy Institute

Australia’s big tech defence cloud: Too big to fail?

Trusting the country’s digital defence capabilities to one company is a potential threat to national security.

The “blue screen of death” heralded the worldwide CrowdStrike disruption, hitting various industries including retail chains, telcos, banks, airlines, and energy providers (Getty Images)

In a world where digital infrastructure underpins modern military capabilities, the Australian Signals Directorate’s (ASD) recent partnership with Amazon Web Services (AWS) to build a sovereign Top-Secret (TS) Cloud infrastructure for defence raises both hopes and alarms. Announcement of the partnership earlier this month came just a fortnight before the global outage of CrowdStrike cybersecurity services, which crippled computers around the world and demonstrated the danger of relying on a single digital system.

The ASD’s $2 billion TS cloud initiative aims to bolster the resilience and interoperability of Australia’s defence networks, especially with the United States. Moving to AWS also promises enhanced redundancy, and partnering with it will allow Australian security agencies to access the AWS version of cutting-edge Artificial Intelligence (AI). But, while the TS Cloud promises enhanced security for defence data, it also exposes Australia to new vulnerabilities.


TS Cloud, as a defence-focused initiative, is new territory for Australia, but not its first foray into cultivating cloud infrastructure. Historically, Australian security agencies managed their own data centres, ensuring direct control over sensitive information. In 2018, the government launched the cloud.gov.au platform to provide secure, scalable services to its agencies. Yet, by 2021, the Digital Transformation Agency (DTA) deemed the platform redundant, turning instead to hyperscalers such as AWS, Microsoft and Google – collectively owning more than 65 per cent of the global cloud market. AWS, with its track record of building similar systems for the United States, the United Kingdom, and countries within the European Union – with Brandenburg, Germany being the first EU AWS zone – was an obvious choice for building TS Cloud, as Western governments hope AWS systems will increase digital interoperability between allies.

Interoperability has been a cornerstone of Western defence policies for decades. During the Cold War, NATO fostered seamless cooperation through shared doctrines and standards, ensuring collective security. Today, in a multipolar world fraught with strategic competition, interoperability remains crucial. In traditional weapons systems, it’s an undeniable asset. But in the digital realm, interoperability, and the range of commercial actors responsible for designing it, introduces a new set of challenges.

Australia’s new Top-Secret Cloud initiative aims to bolster the resilience and interoperability of Australia’s defence networks, especially with the United States (LSIS Nadav Harel/Defence Images)

Unlike the relatively straightforward integration of physical systems, digital interoperability is inherently messy. It involves complex, interconnected software and networks, making systems vulnerable to cascading failures. The recent CrowdStrike software update event underscores these risks. Given the widespread use of Microsoft programs around the world, the update disabled a reported 8.5 million Microsoft Windows-supported machines, impacting critical services worldwide. The “blue screen of death” disruption, also being termed the biggest cyber incident in history, hit various industries including retail chains, telcos, banks, airlines, and energy providers, highlighting the challenges presented by digital interoperability and the concentration of cloud service provision in only a handful of corporations.

Just a year before the CrowdStrike incident, Microsoft resisted regulatory scrutiny in the United States over the dominance of only a few cloud service providers. In response to the US Federal Trade Commission's 2023 review, Microsoft argued that “regulators should carefully avoid any intervention that might disturb the competitive offerings that have promoted the explosive innovation and growth attributable to the cloud”. Yet the CrowdStrike outage shows that the risks of concentrated cloud power are real and potentially devastating.


This incident reveals the urgent need for vendor diversification and stringent regulatory oversight in cloud services, including defence clouds, such as Australia’s TS Cloud. Relying on a single primary provider for an asset as critical as the defence cloud increases the risk of widespread disruptions. If a similar failure to the CrowdStrike outage occurred during wartime, the consequences could be catastrophic, potentially crippling all allied systems simultaneously and compromising defence networks.

The CrowdStrike event casts a long shadow over Australia’s partnership with AWS on the TS Cloud. Despite ostensibly inevitable discussions about multi-vendor strategies among defence authorities during the tendering process, taxpayers are largely left in the dark. There’s a glaring lack of transparency regarding AWS's partnerships and potential outsourcing within Australia. And accountability in the event of a top-secret data breach remains murky. In the CrowdStrike outage, Microsoft distanced itself despite a significant MS Windows failure. Who will be held accountable if defence data leaks from the AWS-managed cloud?

One thing is certain: in the software world, no company is immune to failure. Glitches are inevitable, often striking at the worst possible moments. This underscores the urgent need for transparency, diversification, and robust regulatory oversight to protect Australia’s digital infrastructure and national security.

The CrowdStrike outage is also a reminder for Australia to move more aggressively towards a multi-vendor cloud environment, both legislatively and operationally, to enhance resilience and reduce the impact of any single point of failure. By building and training a workforce tasked with managing complex digital multi-vendor operations, and leveraging its sovereign capabilities to manage such an environment, Australia can foster competition, innovation, and greater security.

In an increasingly interconnected world where avoiding cloud storage platforms is neither possible nor advised, the stakes for Australia are high: national security could be compromised if the cloud’s maintenance and operations are not diversified. Australia must safeguard its national security interests by ensuring its cloud ecosystem incorporates efficient built-in systems and operational redundancy, alongside multiple layers of protection enabled by multi-vendor support applications. Doing so is not only responsible but also necessary to ensure Australia can harness modern cloud technologies while mitigating risks and enhancing its cyber resilience.



